wyreup
inspect

Webhook Verify

Verify a webhook signature against its payload using HMAC. Matches the Stripe / GitHub / Slack convention (HMAC-SHA256 with hex digest). Constant-time compare so timing attacks can't lift the signature.

Loading…

About Webhook Verify

Webhook Verify checks that a webhook payload genuinely came from its sender by recomputing the HMAC-SHA256 signature and comparing it, in constant time, to the one in the request. It follows the convention used by Stripe, GitHub, and Slack — HMAC-SHA256 with a hex digest — so you can confirm a signing secret and payload match before trusting the data. The comparison is constant-time so timing differences can't be used to recover the signature, and it all runs in your browser.

Category
inspect
Input
Accepts: */*.
Output
Outputs: application/json.
Cost
Free, runs in your browser
Memory
low
Privacy: Webhook Verify runs entirely on your device. Files you provide never leave your browser — no uploads, no server, no tracking. The page works offline once loaded.

Common uses

  • Debug why a Stripe webhook is failing signature verification by checking the payload and secret directly
  • Confirm a GitHub webhook's X-Hub-Signature-256 header matches before wiring up the handler
  • Validate a Slack request signature against your signing secret during integration
  • Reproduce a signature mismatch from production logs to find whether the body was altered in transit
  • Sanity-check your own server's verification logic against a known-good payload and digest

Frequently asked questions

Which signature scheme does it use?

HMAC-SHA256 with a hex digest, the same convention Stripe, GitHub, and Slack follow. You provide the raw payload, the signing secret, and the signature to check against.

Why does constant-time comparison matter?

A naive byte-by-byte compare can leak how much of the signature matched through timing, which an attacker could exploit. This tool compares in constant time so no such signal exists.

Is my signing secret uploaded?

No. Verification runs entirely in your browser. Your webhook payload and secret never leave your device, which is exactly what you want for a production signing key.

What does it return?

JSON indicating whether the supplied signature is valid for the payload and secret — a clear match or no-match result.

Does the exact byte content of the payload matter?

Yes. HMAC is computed over the raw body, so any change in whitespace or encoding produces a different signature. Use the exact bytes your endpoint received.

Keywords

  • webhook
  • verify
  • hmac
  • signature
  • stripe
  • github
  • slack
  • security

Try next

Signed URL
inspect

Verify HMAC-signed URLs with the same recompute-and-compare approach used here
JWT Sign
inspect

When the auth is a bearer token rather than a request signature, build and test HS-signed JWTs
Hash
inspect

Compute raw SHA-256 digests when you're debugging the hashing layer beneath the HMAC
Color Palette
inspect

Extract dominant colors from an image as hex codes.
Image Diff
inspect

Pixel-level diff between two images of the same dimensions.
Image Info
inspect

Extract dimensions, format, and metadata from an image.
PDF Info
inspect

Extract page count and metadata from a PDF.
Hash
inspect

Compute SHA-256, SHA-1, or SHA-512 hashes of files.
JSON Formatter
inspect

Parse and pretty-print JSON with configurable indentation.
Extract PDF Tables
export

Extract tabular data from a PDF as JSON or CSV. Works well for simple tables with aligned columns and no merged cells. Complex tables, rotated text, and scanned PDFs (images) will not extract cleanly.
Topic Keywords
text

Pull the topic-bearing nouns and noun phrases out of any text. Answers "what is this about" — not "what words appear most" (try Text Frequency for that). Runs entirely in your browser.